Cyber Security – Common Sense Guidelines
As a service to our users, we have put together this document to give a basic understanding of cyber security best practices.
We ask that you spend about twenty minutes reading and understanding the following cyber security advice, both to help keep your new domains safe from domain hijacking and to protect all of your important accounts. Basic cyber security knowledge should be considered a necessity for every individual who uses the Internet in any business, professional, or financial context.
This document is not exhaustive – there is much more to be written on the subject – nor can it guarantee that you will never fall victim to a cyber attack. It aims to be an easy-to-read overview of basic security ideas that should be understood and put in place by everybody who does any sort of business online.
Nothing is being sold here, and reading this is not mandatory; but because the results of a cyber infiltration can be catastrophic and very stressful, it is highly recommended.
A) Using Good Passwords
Strong passwords are the foundation of a secure cyber presence and the first line of defense against hackers. A strong password makes a variety of password cracking attempts less likely to succeed. In general, good passwords have three qualities: A) they avoid unaltered or common dictionary words, B) they use a variety of symbols, capitalization, and numbers, and C) they are longer rather than shorter.
Using weak passwords such as 'bravo123', 'mypassword', or 'mylife1' will leave you more vulnerable to a variety of attacks; it is strongly recommended not to use passwords like these except on sites, such as newspaper comment sections, where a breach would not harm you.
One way to make a strong yet memorable password is to combine two or three relatively obscure, medium-length words and intersperse them with a few extra letters, symbols, and/or capitalization or spelling changes. Examples of very strong yet memorable passwords (please do NOT use any of these or derive your password in any way from them):
Very strong: 'carPet^perSist90()blinker', 'mAiDeN-voYage93!SAIL:'
Strong: 'carPet^per()Sist90', 'mAi93DeN—voYage!'
Still pretty strong: 'car@85Pet97%', 'mAi%%Den93==='
Too weak: 'Barber85'
A series of three or more uncommon words with just a couple numbers/symbols/changes can also be OK:
'FlicksUnderwriter#ApparentMiraclE88' is pretty easy to remember and still very strong – it does not have much randomness, but is very long.
On the other hand, complete randomness in a shorter password is OK too (never going below 8 characters in length): 'meI52j:M', 'CER$siD#1y', 'zp%Opvq2<>I', etc.
Optionally, you can use one of several password generator websites readily available online.
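The three qualities above can be turned into a rough, mechanical check. The following is an added example written for this page in Python, not part of AuthorityLocal's guidelines: it estimates how many bits of guessing a password resists, charging a dictionary word found in it as one cheap guess rather than as so many random characters, and it generates a random password from the operating system's secure random source (the same kind of output a password generator website gives you). The tiny word list, the assumed 20,000-word attacker dictionary and the rating thresholds are assumptions chosen for the illustration, so the ratings are approximate.

```python
import math
import secrets
import string

# Constructed stand-in for a real dictionary: only the words used in the
# examples on this page. A real checker would load a full word list.
COMMON_WORDS = {
    "password", "bravo", "life", "barber", "carpet", "persist", "blinker",
    "maiden", "voyage", "sail", "flicks", "underwriter", "apparent", "miracle",
}
ASSUMED_DICTIONARY_SIZE = 20_000                 # assumption: size of an attacker's word list
WORD_BITS = math.log2(ASSUMED_DICTIONARY_SIZE)   # ~14.3 bits to guess one whole word


def pool_size(password):
    """Size of the character set an attacker must consider, from the classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += len(string.punctuation)          # 32 symbols
    return pool


def find_dictionary_words(password):
    """Locate dictionary words (case-insensitive, longest first, non-overlapping).

    Returns the list of (start, word) matches and a per-character flag telling
    which positions were consumed by a word.
    """
    lowered = password.lower()
    consumed = [False] * len(password)
    found = []
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        start = lowered.find(word)
        while start != -1:
            end = start + len(word)
            if not any(consumed[start:end]):
                found.append((start, word))
                consumed[start:end] = [True] * len(word)
            start = lowered.find(word, start + 1)
    return found, consumed


def estimate_bits(password):
    """Rough guessing resistance in bits: a whole word costs WORD_BITS plus one
    bit per capital letter inside it; every other character costs log2(pool)."""
    if not password:
        return 0.0
    found, consumed = find_dictionary_words(password)
    bits = 0.0
    for start, word in found:
        span = password[start:start + len(word)]
        bits += WORD_BITS + sum(1 for c in span if c.isupper())
    # max(..., 2) guards against characters none of the four classes recognises
    bits += consumed.count(False) * math.log2(max(pool_size(password), 2))
    return bits


def rate_password(password):
    """Map the estimate onto the page's informal scale (thresholds are assumptions)."""
    bits = estimate_bits(password)
    if len(password) < 8 or bits < 40:
        return "too weak"
    if bits < 60:
        return "still pretty strong"
    if bits < 75:
        return "strong"
    return "very strong"


def generate_password(length=16):
    """Random password from the OS CSPRNG, retried until all four classes appear."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if pool_size(candidate) == len(alphabet):
            return candidate


if __name__ == "__main__":
    for pw in ["bravo123", "Barber85", "meI52j:M", "carPet^perSist90()blinker"]:
        print(f"{pw!r:32} {estimate_bits(pw):5.1f} bits  {rate_password(pw)}")
    print("generated:", generate_password())
```

Running the file prints the estimate for several of the page's own examples; 'bravo123' scores well under 40 bits because 'bravo' counts as a single guess, while the long word-based passwords score above 75 because each extra symbol and capital adds to the count.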
Please treat any Domain Name Registrar accounts you may own as highly sensitive and requiring the highest level of password security. Other accounts that require a highly secure password are your business social media accounts, any account that is financial in any way, all accounts with government agencies, all business email accounts, passwords to access any aspect of your business web presence, cloud data accounts, backup services, online services such as collaboration tools, and any service that in any way stores customer information.
Remember: The hassle of using a secure password is NOTHING compared to the massive troubles a malicious hacker can cause!
Use a completely unique password for every important account your business uses. Never share passwords between sensitive accounts!
It is a good idea to change all of your sensitive passwords on a regular schedule; every three months is a common interval.
B) Email Security
It is important to remember that your business-critical online accounts are only as secure as the email addresses associated with them. Do not make the mistake of setting strong passwords for your important accounts but a weak password for the email address that can be used to reset them.
Consider, also, creating a separate email account to be used only as the contact address for your most sensitive accounts. Do not use this email for anything else, and do not give the address out publicly. Protect it with a very high security password. Use it for your bank accounts, your web server, etc.
C) “Password Recovery” Systems
Malicious hackers often use 'password recovery' pages to try to break into accounts. It is important to select question/answer pairs that are as obscure and difficult to guess as possible. As an example, do not choose 'What was the Make of your first car? / Ford' as a question/answer pair: there are only a dozen or so plausible answers, so this creates a dangerous security weakness. Just as in protecting a physical location, the security of an account is only as strong as its weakest entry point.
For highly sensitive accounts, some security experts recommend not answering 'password recovery' questions with the true answer, but instead setting the answers to be strong, random passwords themselves, which you then write down along with the question ('What was the Make of your first car? / meI52j:M'). This is particularly suited to, say, a bank account, where the potential harm of a breach can be catastrophic, yet even if you lose your password and find yourself completely locked out, you can still restore access by visiting a physical bank branch.
D) Storing your passwords
There are a few ways to store your passwords. Let's go over them briefly:
1) Tried and true: Write them down on a piece of paper. This method has the advantage of being impervious to any sort of cyber attack, and is actually a sound method.
There are a few considerations to keep in mind. First, it can be dangerous to include website/username/password combinations all on one piece of paper. Consider writing them down in such a way that someone reading it will not have all three, such as abbreviating the site name or splitting this information over two pieces of paper. Store this with your most sensitive documents, in a safe if possible. In this day and age, everyone carries a high resolution camera in their pocket, so never leave it lying out on your desk, even if you step away for a minute. Also, make sure to write in a very deliberate, careful manner, differentiating 'l', '1', and 'I' for instance. Finally, consider making a photocopy to be stored in a second secure location in case of fire or theft.
2) A bit more sophisticated: An encrypted Excel spreadsheet, stored on a USB flash drive.
This can be accomplished using either an encrypted flash drive (such as: http://www.kingston.com/en/usb/encrypted_security) or an encryption program such as VeraCrypt to create an encrypted file on a flash drive. When not in use, store this USB flash drive with your confidential documents. Make sure to back this flash drive up onto a second flash drive, and use a very strong password for it. It is suggested to remove the flash drive whenever you leave your desk, because if your computer is left unattended, someone can make a copy of it in only a few seconds. Also, consider using acronyms for the target websites (e.g., Chase Bank: 'C'), so that if someone does get their hands on the file, they won't immediately have the keys to the kingdom.
In many ways, this method is actually similar to #1, except that it saves you the trouble of typing passwords, protecting you from keyloggers and allowing you to use arbitrarily long passwords. This is the method we use ourselves.
3) Password Managers: We tend to shy away from these, but they are probably safe enough. They aim to give a convenient, easy to use interface for storing all of your passwords, guarded by a master password. Many also include password generators. Password managers cost a bit of money, but not much. The main downside is that these put all your eggs in one basket; if anyone should get the master password, they will have full access to all of your digital accounts, including your email passwords. However, they are widely used. Some can use a fingerprint as a password, increasing security. While we do not endorse any, a few well known examples are KeePass, LastPass, 1Password, Dashlane, LoginBox, wwPass Black Book, RoboForm. Read an overview here.
4) Password Reset Every Time: For accounts you don't access very often, such as the Domain Name Registrar, make an absurdly long password by mashing the keys randomly, and do not write it down. Supply a high security email address as the account email. Whenever you need to access the site, go through the password reset procedure. This is a more viable option than it might seem at first glance, but obviously not for sites that are accessed regularly.
5) Some Combination of the Above: You may consider using a password manager for important but not mission critical accounts such as online CRM software, but using the more secure paper and pen or encrypted spreadsheet for truly important software such as web server or bank accounts.
E) Two-Factor Authentication
It is advised to enable Two-Factor Authentication (TFA) on any important account where it is available. With TFA enabled on a website, any computer that has never logged in to that website before must pass an additional verification of some sort, usually a code sent by text message to a designated cell phone. Logging in then requires both "something you know" (your password) and "something you have" (your phone), which greatly enhances account security.
It has become widely available in the last few years, and many companies such as Gmail/YahooMail/MS Outlook/Zoho, Facebook, Namecheap, and most banks and financial websites now support it. It provides an easy yet effective additional security barrier against unauthorized entry to your important accounts, and you should enable it wherever it is offered. However, keep in mind that if you need to log in to a TFA-enabled website from a computer other than those you usually use, you will need the designated cell phone on hand. An updated list of websites that support it can be found here.
F) Consider Real Time Monitoring: There are a variety of services that can send you emails or text messages if certain types of activity are detected. Examples include https://www.allclearid.com/ (identity theft monitoring), https://www.billguard.com/ (credit card monitoring), https://www.creditkarma.com/ (credit score monitoring), and https://sucuri.net/ (website change monitoring). Please note that we have not used any of these services and are not affiliated with them; they are merely suggestions to look into.
Additionally, your bank account may offer this as a service for account holders; the next time you visit or call your bank, ask – and activate if available.
G) Operating System (“OS”) Security
When accessing any sensitive, business-critical website, it is highly recommended to take every precaution to ensure that the computer you are using is not itself infected with any type of malware, virus, keylogger, spyware, etc.
While most computers have some type of antivirus software running, it is important to remember that no antivirus is perfect, and your computer may be compromised in some way even if you run free or paid antivirus software.
At a minimum, it is recommended to regularly run full scans with the well-regarded software 'MalwareBytes' on any Windows installation from which you access sensitive sites, in addition to whatever other antivirus measures you already take.
Do not put off those annoying software and operating system update requests! It is all too easy to ignore them, or to press 'Later', 'Later', 'Later' for months on end. Please don't do this: the primary purpose of these updates is to patch security holes that have been discovered in the software you use; once a security update is issued, malicious hackers know about the underlying hole and look to exploit computers that have not been updated. Running updates as soon as they become available will keep you one step ahead.
Our recommendation is to visit sensitive web services only from the inherently safer and more secure Apple OSX or Linux operating systems, which together have suffered a tiny fraction of a percent of the virus troubles Windows computers have had over the years.
While OSX requires expensive hardware purchases, Linux can run on a wide variety of PCs and laptops. Linux can run entirely off a USB thumb drive, allowing you to boot any computer into a secure, trusted state even if its hard drive is infested with viruses.
Consider setting aside one older laptop, running either a freshly installed copy of Windows or Linux, as your 'banking' computer. Access only trusted, high security sites from this computer and never use it for any other purpose; conversely, make a point of visiting such sites only from this computer.
As a 'Thank You' for being a conscientious reader, and for caring about your cyber security enough to read this section, AuthorityLocal shall send the winning bidder three (3) new USB flash drives, each with a bootable copy of a non-techie friendly and secure version of Linux.
These USBs will allow you to reboot any computer into an easy to use and inherently more secure session to perform sensitive tasks, or simply for daily use. Please send us your preferred shipping address after winning the auction to AuthorityLocal@gmail.com to claim these USB Drives.
And for those who don't know – you should not have a single Internet-connected computer running Windows XP in your organization. It is simply not safe to use now that Microsoft no longer supports it. Windows Vista installations should be upgraded to either 7 or 8.1, although, unlike XP, Vista is not inherently dangerous to use.
H) Hard Drive Encryption
All modern operating systems offer the capability to encrypt your entire hard drive. If this is done, then even if someone steals your computer and physically removes the hard drive, it will be difficult for them to access the sensitive documents on it. Most modern computers have dedicated circuitry that allows you to do so without affecting the performance of your computer. Google 'enable Bitlocker'/'enable FileVault' to read how to turn this on in Windows/OSX.
Two caveats: in the case of catastrophic hard drive failure, encryption makes the recovery process substantially more difficult – but if you are backing up, this shouldn't be an issue. And if you forget your login password, it will become very, very difficult to access the files on the disk.
Another option is to use VeraCrypt or similar to encrypt only the files you don't want to fall in the wrong hands.
I) Physical Security
Please be aware of two things: 1) It is advised to occasionally check your physical keyboard cable's connection to the computer itself if you are in an environment where someone might plant a physical keylogger on the computer; these can be as small as one joint of your finger and impossible to notice from afar. 2) The UEFI, or BIOS, is the low-level software that starts your system up. Every UEFI/BIOS has a setup screen. If you do not password-lock it, and your hard drive is not encrypted, anyone with a USB key can walk up and easily access all of the data on the drive simply by rebooting the machine, even if Windows or OSX is secured with a password.
J) Beware of Social Engineering Attacks
Never give any sensitive information, passwords, or customer information to anyone who initiates contact with you over the phone, email, or chat – no matter what. Social engineering (i.e., tricking and manipulating people over the phone, through email, or through text chat) is a more commonly used tactic than many realize, and it is surprisingly effective because most people immediately let their guard down when talking to someone who claims to be an authority figure. Make sure every employee understands this as well – write a policy, and make sure it is well understood.
K) Avoid Phishers
If you receive an email that seems to come from any mission critical account, be careful about clicking links in it. If possible, log in from the front page of the website rather than clicking the link in the email. If you do click the link in the email, examine the web address in your browser's web address bar carefully to make sure it is exactly correct. If trying to log into MyBank.com, for instance, make sure the address isn't MyBank.XYZ.com or My-Bank.com – ONLY trust the single address you know to be correct.
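The address-bar check above can be stated precisely: what matters is the host name the browser will actually connect to, not the link text and not whether the familiar name appears somewhere in the address. The following added example, written for this page and not part of the original guidelines, extracts that host the way a browser does and accepts the link only if it matches, exactly, the one address you know to be correct. Requiring https and the sample addresses built around the page's MyBank.com example are assumptions for the illustration.

```python
from urllib.parse import urlsplit


def connected_host(url):
    """The host the browser will really connect to, or None if the URL cannot be parsed.

    urlsplit().hostname discards the scheme, path, port and any 'user@' prefix
    and lower-cases the result, so look-alike tricks hidden in those parts fall away.
    """
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_trusted_login_url(url, trusted_host):
    """Accept only https links whose host is exactly the one known-good address."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or parts.hostname is None:
        return False
    # A trailing dot is the same DNS name; nothing else is tolerated.
    return parts.hostname.rstrip(".") == trusted_host.lower().rstrip(".")


# Constructed sample links for the page's MyBank.com example.
SAMPLE_LINKS = [
    "https://MyBank.com/login",              # the real address
    "https://MyBank.XYZ.com/login",          # a subdomain of someone else's domain
    "https://My-Bank.com/login",             # a look-alike domain
    "https://MyBank.com@My-Bank.com/login",  # the real name hidden in the user part
    "http://MyBank.com/login",               # right host, but not encrypted
]


def audit_links(links, trusted_host="MyBank.com"):
    """Return {link: (host actually connected to, trusted?)} for a list of links."""
    return {u: (connected_host(u), is_trusted_login_url(u, trusted_host)) for u in links}


if __name__ == "__main__":
    for url, (host, ok) in audit_links(SAMPLE_LINKS).items():
        print(f"{'TRUST' if ok else 'REJECT':6} {url:40} -> connects to {host}")
```

The check deliberately refuses even www.MyBank.com when the address you recorded is MyBank.com: record the exact host your bank's login page really uses, then trust only that.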
L) Use Credit Cards rather than Debit Cards when paying online.
Credit cards offer much better fraud protection. If your debit card number falls into the wrong hands, your account can be drained and you will never see the money again. Not so with credit cards.
M) Consider removing your information from public indexes.
Various online 'people search' directories give out information, such as home address and date of birth, that could be used by someone attempting a 'social engineering' attack into your accounts. It's probably a good idea to take the time to remove yourself from these lists. Instructions can be found here.
N) Backing up your data using several different methods at once is recommended.
It's a side note from cyber security, but vitally important: for data that your business would be lost without, we recommend using ALL of A) an automated, online cloud backup system (SpiderOak, Mozy, Carbonite, etc.), B) automated software that saves to an external hard drive, and C) a regular exact copy of that external hard drive, stored at a separate physical location. This protects your data from all possible contingencies, even a once-in-a-million multiple failure scenario.
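The third leg of that scheme, an exact copy of the external drive, only protects you if it really is exact; a copy that silently dropped or corrupted a file is discovered at the worst possible moment. The following added example, written for this page and not AuthorityLocal's own tooling, hashes every file under two folders and reports what is missing, extra, or changed between them, so the copy can be checked before it goes off-site. The two sample folders it builds in a temporary directory, with one corrupted and one missing file, are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def tree_digests(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(source, copy):
    """Report files missing from the copy, extra in the copy, or differing in content."""
    src, dst = tree_digests(source), tree_digests(copy)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "changed": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
    }


def is_exact_copy(source, copy):
    return not any(compare_trees(source, copy).values())


def build_demo_trees():
    """Constructed sample: a 'source' drive and a 'copy' that went wrong in two places."""
    base = Path(tempfile.mkdtemp(prefix="backupcheck_"))
    src, dst = base / "source", base / "copy"
    files = {
        "ledger/2024.csv": b"date,amount\n2024-01-01,100\n",
        "customers.txt": b"Alice\nBob\n",
        "notes/todo.txt": b"renew domain\n",
    }
    for rel, data in files.items():
        for root in (src, dst):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Simulate silent corruption of one file and another file dropped during copying.
    (dst / "customers.txt").write_bytes(b"Alice\nBobx\n")
    (dst / "notes" / "todo.txt").unlink()
    return str(src), str(dst)


if __name__ == "__main__":
    source, copy = build_demo_trees()
    for kind, paths in compare_trees(source, copy).items():
        print(f"{kind:8} {paths}")
    print("exact copy:", is_exact_copy(source, copy))
```

In practice you would point compare_trees at the mount points of the two external drives after each copy; an empty report is the confirmation that the off-site drive really holds everything the primary one does.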
By employing strong passwords, two-factor authentication, and an OS that you are certain is not leaking the information entered into it, you make it much harder for cyber criminals to cause you grief.
This document has been prepared by AuthorityLocal.com; please contact us at AuthorityLocal@gmail.com if you have any questions about any material presented here.